
Thread: SQL.DLL trojan?

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area)

    SQL.DLL trojan?

    Here's one that I haven't seen before. Anyone have any info on this?

    Symantec Corp AV 8.1 picks up C:\WINDOWS\SYSTEM32\SQL.DLL as a trojan backdoor.

    I've scanned the machine and peeked around, but nothing seems to yield any real clues. The other interesting thing is that the AV sig updates no longer work.

    Before I get myself knee deep in analysis, I figured I'd try to take a shortcut and see if anyone knows what this is. After all, it is the weekend.

    Thanks

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2 Senior Member
    Hrmm, sounds awfully familiar. There are many of those WINDOWS\SYSTEM32\ file names that get turned around (the file extension, name, etc.) to be made into trojan horse applications/backdoors. This one doesn't sound all too familiar and isn't present on any of my machines.

    TheHorse: Are you running any MySQL services or the like on a webserver or whatnot? That wouldn't answer it completely though, would it? Hrmm.. Ahh, it's too early in the morning for me to be thinking. Anyways, my guess is that it's your common "\System32" trojan, if ya catch me.
    Space For Rent.. =]

  3. #3 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Nah, no SQL anything. This is just a standard workstation used for e-mail and word processing.

    I've gone through the basic motions on this thing (process exploring, etc.) but I guess I'll have to do some real digging. I've only seen one reference to this on a French website.

  4. #4 Senior Member
    It's a common .dll for the new nasty CWS to call itself. You may want to run a HijackThis log and see what pops up. Are you experiencing any redirects by any chance?

  5. #5 AntiOnline n00b
    hi

    A while ago my AVG caught a similar file and called it BackDoor Agent.B, or something like that...

    I found this info on how to remove it ....the last post of this thread might be of interest to you

    http://www.computing.net/security/ww...rum/10974.html

  6. #6 thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Thanks for all the help, gang. After looking a little deeper (which I didn't want to do on a Saturday), I found that the little bitch is searchx.cc. I manually removed the ****er and all is well in Oz.

    EDIT: I got 3 PMs about this same issue. I had to use Killbox.exe to dump sql.dll at bootup because it just would not shake loose any other way. You can get the proggie from here:

    http://www.downloads.subrantum.org/KillBox.zip

    I also dumped all references to sql.dll from the registry after the above step. This took me about 3 hours to sort out but hey, I can't walk away from things like this.
    --TH13
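As an added example of the triage the thread walks through (check what the flagged DLL actually is, see which processes hold it, and list every registry reference before cleaning up), written here for this page and not code from the thread or any poster: it assumes the path named in the thread and PowerShell 4 or later for Get-FileHash, and it only reports, deleting nothing.

```powershell
# Suspect file from the thread; a real System32 DLL is normally Microsoft-signed.
$Suspect = Join-Path $env:SystemRoot 'System32\sql.dll'

function Get-SuspectFileInfo {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        SizeBytes = $item.Length
        Created   = $item.CreationTime          # recent date on a "system" DLL is a red flag
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status                 # 'NotSigned' / 'HashMismatch' here is telling
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Processes that have the DLL mapped; these are what keep it "locked" until reboot,
# which is why the thread needed a delete-at-boot tool.
function Find-ProcessesUsingDll {
    param([string]$Path)
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # protected processes throw; skip them
        if ($mods | Where-Object { $_.FileName -eq $Path }) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName }
        }
    }
}

# Autostart and BHO locations (constructed list) where a CWS-style DLL gets referenced;
# every hit is shown so nothing is missed when the references are removed later.
$RegRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
function Find-RegistryReferences {
    param([string]$Needle, [string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($data -match [regex]::Escape($Needle)) {
                    [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

Get-SuspectFileInfo -Path $Suspect | Format-List
Find-ProcessesUsingDll -Path $Suspect | Format-Table -AutoSize
Find-RegistryReferences -Needle 'sql.dll' -Roots $RegRoots | Format-Table -AutoSize
```

Run it from an elevated prompt so the module list of every process is readable; the registry and hash output is what you would keep as a record before deleting the file and its references.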
